OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library and recently OpenSSL fixed six severe flaws.
OpenSSL Fixed Six Severe FlawsOn Tuesday, May 3rd OpenSSL release six patches for the vulnerabilities in the OpenSSL, including two dangerous (CVE-2016-2108 and CVE-2016-2107). Hence, this flaws can lead to traffic being decrypted, denial-of-service attacks, and arbitrary code execution.
Vulnerability CVE-2016-2108 is an issue with the ASN.1 parser that triggers a buffer underflow and performs an out-of-bounds write if zero is represented as a negative value and affects the OpenSSL version, released before April the 2015, and consists of two in themselves insignificant errors, which together could pose a serious threat. Under certain conditions, an attacker can execute irrational code remotely. The second dangerous vulnerability (CVE-2016-2107) allows to carry out the attack “man in the middle” and decrypt the data.
However, there was an unrelated bug where the ASN.1 parser could misinterpret a large universal tag as a negative zero value. As the OpenSSL team wrote that “This has been shown to cause memory corruption that is potentially exploitable with some malloc implementations”.
The flaw, CVE-2016-2105, and CVE-2016-2106 affects EVP_EncodeUpdate function. As reported in the security bulletin, the chances of the remotely execute code are very small. The vulnerability CVE-2016-2109 can cause the distribution of large amounts of memory, which will lead to over-consumption of resources or memory overflow. OpenSSL also fixed an oracle padding issue, where attackers could corrupt the plaintext padding around encrypted messages and decrypt traffic.
The final low-severity flaw CVE-2016-2176 is a vulnerability which allows you to call an overload X509_NAME_oneline() function using the EBCDIC systems, resulting in an attacker can get back some of the data. However, this amount of data is almost useless to the attacker.